DHCP Vendor Class Identifier – DHCP Option 60

Reading Time: 4 minutes

In several meetings I get the question, how can I sent different DHCP options to different devices. The answer is to use the DHCP Vendor Class Identifier, DHCP option 60.

Every device sends this option to the DHCP Server, and each DHCP Server can answer with specific options, depending on the option 60. I will use two different switches, an AubaOS switch and a Comware based switch to show the principles. I will provide a different config file for each switch via TFTP.

DHCP Vendor Class Identifier – Get Option 60

The first step is to get the information, what is in option 60 for each device. This could be the tricky part. I always do a Wireshark trace and check option 60 in the DHCP Discover itself. For the Comware Device, which is a 1920, it is this:

HPE. HPE 1920-24G-PoE+ (370W) Switch

For the 2930F it looks like this:

Aruba JL259A 2930F-24G-4SFP Switch dslforum.org

I haven’t found this information in the manuals so far. Maybe a good point for a feature request.

DHCP Vendor Class Identifier – Configure Windows Server

If you have the value for Option 60 for each device, you can start to use them. Open the DHCP management console on the windows server and right click the IPv4 server and select “Define Vendor Classes”. In the pop-up window select “Add”, to create a new class:

DHCP Vendor Class Identifier - Add Vendor Class to Server
DHCP Vendor Class Identifier – Add Vendor Class to Server

After that, you just need to define a new policy for the scope. Select the scope for which you would like to configure the options and create a new policy:

DHCP Vendor Class Identifier - Create new Policy
DHCP Vendor Class Identifier – Create new Policy

Click “Next” to get to the screen, where to define the policy rules:

DHCP Vendor Class Identifier - Create Policy Rules
DHCP Vendor Class Identifier – Create Policy Rules

I only use the created vendor class from above as a rule to use the policy. On the next screen, I do not want to define a special IP range for those devices. They should use the same IP range as the scope itself. On the next page you can now set individual DHCP option for devices with this vendor class:

DHCP Vendor Class Identifier - Create Policy Optons
DHCP Vendor Class Identifier – Create Policy Optons

In my case, this is only option 66 and 67. The next screen is just the summary. Do this for all vendor classes, you need to configure individual options for. That is all.

DHCP Vendor Class Identifier – Configure Linux DHCP Server

If you are running a Linux DHCP server, as I do, the config is even more simple. I use the isc-dhcp-server on Ubuntu:

[email protected]:~$ dhcpd --version
isc-dhcpd-4.4.1

It is very easy to create a class which matches option 60 from the DHCP request. Just open the config file and add the following lines:

#Class to Match Option 60
class "Vendor-Class" {
        match option vendor-class-identifier;
}

In the subnet declaration, you can use this class to send individual options to the switch:

#VLAN 204 LAB_Switch
subnet 10.204.204.0 netmask 255.255.255.0 {
        range 10.204.204.100 10.204.204.199;
        option domain-name "lab.flomain.local";
        option broadcast-address 10.204.204.255;
        option subnet-mask 255.255.255.0;
        option routers 10.204.204.1;
        subclass "Vendor-Class" "HPE. HPE 1920-24G-PoE+ (370W) Switch" {
                option tftp-server-name "10.104.104.10";
                option bootfile-name "comware_config.cfg";
        }
        subclass "Vendor-Class" "Aruba JL259A 2930F-24G-4SFP Switch dslforum.org" {
                option tftp-server-name "10.104.104.10";
                option bootfile-name "arubaos_config.cfg";
        }
}

As you can see, quite easy. You can have multiple subclasses for all of your devices.

From Wireshark, you can now see, that the switch is getting those individual options:

DHCP Vendor Class Identifier - Wireshark with DHCP Option 66 and 67
DHCP Vendor Class Identifier – Wireshark with DHCP Option 66 and 67

This time, a short post. but I’ve got ask this a lot of times during the last month, so I thought it is worth it. If you find this post useful, leave me a comment and share it with your friends. If you don’t like the post, leave me a comment and tell me what you don’t like. But whatever you do, leave me a comment.

9 thoughts on “DHCP Vendor Class Identifier – DHCP Option 60”

  1. Hello Florian again,
    we just found out about the following command:
    “show dhcp client vendor-specific”
    It returns the following:
    Vendor Class Id = Aruba JL256A 2930F-48G-PoE+-4SFP+ Switch dslforum.org
    Processing of Vendor Specific Configuration is enabled

    Have fun 🙂
    Best regards

    Reply
    • Yeah, I discovered this command yesterday as well. Makes it a little bit easier. But a list of those fields for every switch would even be better.

      Reply
  2. Hello Florian!

    Unfortunately I can not find a complete configuration for the ISC DHCP. Can you please publish your configuration as an example in your forum? I want to do ZTP with Aruba APs and Switch …

    Reply
    • Hi Martin,

      Thanks for your comment. If I have my home lab back online (currently I’m in the middle of relocation to my new home) I will post my whole config here.

      BR
      Florian

      Reply
    • hi Martin,

      It took a while to rebuild the lab completely, but here is my ISC DHCP config:

      # dhcpd.conf

      # option definitions common to all supported networks...
      option domain-name "flomain.local";
      option domain-name-servers 10.104.104.21,10.104.104.22;
      option ntp-servers 10.104.104.21,10.104.104.22;

      default-lease-time 86400;
      max-lease-time 604800;

      # The ddns-updates-style parameter controls whether or not the server will
      # attempt to do a DNS update when a lease is confirmed. We default to the
      # behavior of the version 2 packages ('none', since DHCP v2 didn't
      # have support for DDNS.)
      ddns-update-style interim;
      ddns-updates on;
      ignore client-updates;
      update-static-leases on;

      include "/etc/dhcp/ddns.key";

      zone flomain.local. {
      primary 127.0.0.1;
      key DDNS_UPDATE;
      }

      zone 10.in-addr.arpa. {
      primary 127.0.0.1;
      key DDNS_UPDATE;
      }

      # If this DHCP server is the official DHCP server for the local
      # network, the authoritative directive should be uncommented.
      authoritative;

      # Use this to send dhcp log messages to a different log file (you also
      # have to hack syslog.conf to complete the redirection).
      #log-facility local7;

      failover peer "cluster-1" {
      primary;
      address hellcat-1.flomain.local;
      port 519;
      peer address hellcat-2.flomain.local;
      peer port 520;
      max-response-delay 60;
      max-unacked-updates 10;
      mclt 3600;
      split 128;
      load balance max seconds 10;
      }

      omapi-port 7911;
      omapi-key omapi_key;

      key omapi_key {
      algorithm hmac-md5;
      secret top_secret;
      }

      #Class to Match Option 60
      class "Vendor-Class" {
      match option vendor-class-identifier;
      }

      #VLAN 102 10.102.102.0/24 - IAP Management
      subnet 10.102.102.0 netmask 255.255.255.0 {
      pool {
      failover peer "cluster-1";
      deny dynamic bootp clients;
      range 10.102.102.100 10.102.102.199;
      }
      option subnet-mask 255.255.255.0;
      option routers 10.102.102.1;
      }

      #VLAN 104 10.104.104.0/24 - local subnet without DHCP
      subnet 10.104.104.0 netmask 255.255.255.0 {}

      #VLAN 107 10.107.107.0/24 - IoT Network
      subnet 10.107.107.0 netmask 255.255.255.0 {
      pool {
      failover peer "cluster-1";
      deny dynamic bootp clients;
      range 10.107.107.100 10.107.107.199;
      }
      option subnet-mask 255.255.255.0;
      option routers 10.107.107.1;
      }

      #VLAN 108 10.108.108.0/24 - IoT Network
      subnet 10.108.108.0 netmask 255.255.255.0 {
      pool {
      failover peer "cluster-1";
      deny dynamic bootp clients;
      range 10.108.108.100 10.108.108.199;
      }
      option subnet-mask 255.255.255.0;
      option routers 10.108.108.1;
      }

      #VLAN 202 10.202.202.0/24 - LAB_CAP_Management
      subnet 10.202.202.0 netmask 255.255.255.0 {
      pool {
      failover peer "cluster-1";
      deny dynamic bootp clients;
      range 10.202.202.100 10.202.202.199;
      }
      option subnet-mask 255.255.255.0;
      option routers 10.202.202.1;
      option domain-search "lab.flomain.local";
      option domain-name "lab.flomain.local";
      subclass "ArubaAP-Class" "ArubaAP" {
      option vendor-class-identifier "ArubaAP";
      option master 10.201.201.30;
      }
      }

      #VLAN 204 LAB_Switch
      subnet 10.204.204.0 netmask 255.255.255.0 {
      pool {
      failover peer "cluster-1";
      deny dynamic bootp clients;
      range 10.204.204.100 10.204.204.199;
      }
      option domain-name "lab.flomain.local";
      option broadcast-address 10.204.204.255;
      option subnet-mask 255.255.255.0;
      option routers 10.204.204.1;
      subclass "Vendor-Class" "HPE. HPE 1920-24G-PoE+ (370W) Switch" {
      option tftp-server-name "10.104.104.10";
      option bootfile-name "comware_config.cfg";
      }
      subclass "Vendor-Class" "Aruba JL259A 2930F-24G-4SFP Switch dslforum.org" {
      option tftp-server-name "10.104.104.10";
      option bootfile-name "arubaos_config.cfg";
      }
      }

      #vlan 4000 192.168.2.0/24 - old VLAN for clients
      subnet 192.168.2.0 netmask 255.255.255.0 {
      pool {
      failover peer "cluster-1";
      deny dynamic bootp clients;
      range 192.168.2.100 192.168.2.199;
      }
      option subnet-mask 255.255.255.0;
      option routers 192.168.2.1;
      }

      hope this helps in your setup.

      BR
      Florian

      Reply
    • Hi Jacques,

      Thanks for the feedback. Really appreciated. If you are looking for more or different information about this or other network-related stuff, just let me know. It is very helpful for me to know, what you are looking for.

      BR
      Florian

      Reply

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: